gryphon.ai - Trust and Security Portal

Trust and Security Portal

Gryphon takes the security of our services very seriously. The transparency around our controls, environment, and the standards and processes we adhere to is of utmost importance.

By using this portal, you can request access to our compliance documents and gain an understanding of our security posture.

Learn how we protect you
From technical to legal documentation and everything in between, we are dedicated to your safety at all times.

Access the documents you need
Gain access to the documented security protocols you need to stay safe.

Overview

Our product offerings, systems, and infrastructure are purpose-built to support the vast needs of our Enterprise clientele for security, compliance, and privacy.

Gryphon clients operate in the most highly regulated and scrutinized industries, including financial services, health, insurance, automotive, telecom, and utilities.

Learn more

Compliance

Gryphon is committed to complying with applicable security and data protection laws in order to make compliance easier for your business.

Our best practices include regular audits by third parties and maintaining compliance certification to provide industry-standard protections.

Learn more

our CERTIFICATIONS

Let's stay protected

Learn how we protect ourselves and our clients to ensure we all stay safe

Compliance Certifications

Cloud Provider Certifications

HIPAA PCI-DSS ISO 27001 ISO 27017 ISO 27018 SOC 1 SOC 2 SOC 3 CSA Star

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates protecting the privacy and security of health information.

Gryphon can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with Gryphon.

PCI-DSS

The Payment Card Industry Data Security Standards (PCI DSS) is an information security standard designed to ensure companies processing, storing, or transmitting payment card information maintain a secure environment. Customers shall not transmit cardholder or sensitive authentication data (as those terms are defined in the PCI DSS standards) unless such data is message-level encrypted by the customer.

Gryphon's Attestation of Compliance is available to request by emailing Trust@gryphon.ai. (NDA Required)

ISO 27001

ISO-27001 (Google Cloud Platform)

The International Organization for Standardization 27001 Standard (ISO 27001) provides a framework for Information Security Management Systems (ISMS) to support continued confidentiality, integrity, and availability of information. These certifications run for 3 years and have annual surveillance audits.

Google Cloud Platform's ISO certificate is available for customers by emailing Trust@gryphon.ai (NDA Required).

ISO 27017

ISO 27018

SOC 1

SOC 1 (Google Cloud Platform)

A SOC1 report documents a cloud service providers internal controls that may be relevant to a customer's financial reporting. This report is also referred as SSAE18. SOC 1 Type 2 is a regularly refreshed report; you may request access to Gryphon's cloud providers report.

Google Cloud Platform's SOC1 is available for customers by emailing Trust@gryphon.ai (NDA Required).

SOC 2

SOC 2 (Google Cloud Platform)

The SOC 2 report (SSAE 18) is based on the American Institute of Certified Public Accountants' (AICPA). The purpose of this report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality and privacy. You may request access to Gryphon's cloud providers report.

Google Cloud Platform's SOC2 is available for customers by emailing Trust@gryphon.ai (NDA Required).

SOC 3

SOC 3 (Google Cloud Platform)

Like SOC 2, the SOC 3 report was developed based on the American Institute of Certified Public Accountants' (AICPA). The SOC 3 is apbulic report of internal controls over security, availability, processing integrity, confidentiality and privacy. You may download Gryphon's cloud provider's SOC 3 below.

Google Cloud Platform's SOC 3 is available by emailing Trust@gryphon.ai (NDA Required).

CSA Star

POLICIES

Data Security

Data Retention and Disposal Data Encryption Data Loss Prevention

Data Retention and Disposal

Gryphon only retains personal data for the purpose of delivering services pursuant to client agreements, and compliance with all applicable laws and regulations. Personal data is disposed of when no longer required to meet contractual or legal obligations.

Data Encryption

Gryphon employs industry-standard encryption technology for data while in transit and at rest. Data at rest is encrypted using an AES-256 algorithm.

All communications over the Internet to Gryphon require in-transit encryption using TLS 1.2 or higher. The TLS protocol protects data moving between your site and Gryphon, and between services within Gryphon's product infrastructure.

Data Loss Prevention

Gryphon has a comprehensive DLP strategy based on industry best-practices, including identification and classification of sensitive data, robust access controls and entitlement reviews, hardened systems, encryption of data at rest and in transit, tools and processes to support alerting and incident response, and training for employees and stakeholders.

Network and Infrastructure Security

Infrastructure Network Physical Business Continuity & DR Wireless Networks Separate Environments

Infrastructure

Infrastructure
Security

Gryphon infrastructure is deployed using best practices for hardening systems including vulnerability scanning, security patching, secure coding practices, CIS standards for password strength and rotation, role-based access control, and removal of all default, shared, and/or unnecessary administrative and privileged service accounts. Access to all Gryphon infrastructure requires the use of an encrypted VPN with multi-factor authentication.

Network

Network Security

Gryphon uses Google Cloud Platform (GCP) as a cloud services provider. Gryphon utilizes GCP's Virtual Private Cloud capabilities to properly isolate resources on the network, exposing only minimally required endpoints to the Internet.

VPC Firewall rules are in place to restrict ingress from and egress to the Internet, as well as between internal resources, to only required sources, destinations, protocols and ports. We utilize GCP's CloudArmor to protect against DDoS and application-based attacks against our public-facing services.

Physical

Business Continuity & DR

Business Continuity and Disaster Recovery

Gryphon operates a geographically diverse cloud infrastructure, utilizing multiple regions and multiple zones within each region to deliver services. Applications are designed for high availability to minimize customer impact in the event of software or infrastructure failure.

Critical systems are backed up at appropriate intervals to optimize recovery time. Business Continuity and Disaster Recovery exercises are performed at least annually. For additional information, request our Business Continuity and Disaster Recovery executive summary by emailing Trust@gryphon.ai (NDA Required).

Wireless Networks

Separate Environments

Product and Application Security

Access Control Audit Logging SDLC Vulnerability & Patch Mgmt Single Sign-on

Access Control

Gryphon employs Role-Based Access Control (RBAC) for all information and IT assets across the company. Access levels are granted based on job responsibilties using the principle of least privilege, with access modified or revoked as needed when an employee's job responsibilities change. Entitlements are directory-managed, and reviews are conducted on a recurring basis. CIS Standards are applied to password strength and rotation requirements, and multi-factor authentication is in-place where supported.

Audit Logging

All critical services and processes write audit logs that record administrative, security, and data access events in a centralized location in the context of "who, what, where, and when." Centralized audit logging supports security and compliance activities, and enables effective and timely response to events impacting the performance and security of our services. All system and audit logs are retained for 12 months.

SDLC

Vulnerability & Patch Mgmt

Vulnerability and Patch Management

Gryphon employs third party security vendors to perform security, vulnerability and penetration testing for our products. Scans are run at least quarterly and findings are remediated according to severity and impact. Scans include both external and internal assets. Product code is continuously scanned using third-party tools as a part of the software development life cycle. Systems are patched on an ongoing basis based on severity and impact of vulnerabilities as they're identified. Automated tools are used in conjunction with monitoring advisory and security bulletins.

Single Sign-on

Corporate Security

Device Mgmt Endpoint Protection Employee Training Human Resources Incident Response Info Sec. Standards

Device Mgmt

Mobile Device Management

Gryphon utilizes enterprise mobile device management (MDM) solutions that enforce endpoint protection policies, local drive encryption, password strength and rotation requirements, idle time screen lock, and remote wipe capabilities on all employee workstations. Gryphon does not allow access to product infrastructure via mobile phones.

Endpoint Protection

Employee Training

Gryphon maintains a security awareness program that provides education on Gryphon's corporate security policies and current developments in the world of information security. All employee’s complete initial security fundamentals/awareness training and participate in quarterly training thereafter, and are required to acknowledge intent to comply with corporate security policies.

Human Resources

Incident Response

Gryphon maintains a formal Incident Management Policy, and procedures are reviewed and communicated on a periodic basis. Security incident response is managed by Gryphon staff in our Operations organization, with participation from third-parties as necessary. Incident response is active 24x7x365 to detect, respond to, and resolve all detected incidents. Gryphon will take appropriate action to contain, investigate, and mitigate any breach, and will notify external stakeholders as required by service agreements.

Info Sec. Standards

Reports

Penetration Test Report

Gryphon employs third party security vendors to perform Security, Vulnerability and Penetration testing for our products. Scans are performed in accordance with compliance requirements, and findings are remediated according to their severity and impact. An Executive Summary of our most recent external penetration test may be requested by emailing Trust@gryphon.ai (NDA Required).

Legal

Privacy Policy

Visit gryphon.ai to view Gryphon's Comprehensive Privacy Policy.

Data Security and PCI

Learn more from our security experts